
I'm trying to figure out how Ansible-Vault passwords would be used in a production environment. I've watched countless videos and tutorials on how to use "Ansible-Vault", and they all conclude with the same thing:

  1. Encrypt your file with sensitive variables using ansible-vault encrypt

  2. Store your vault password in a text file and use this when running the playbook: ansible-playbook --vault-password-file passwordFile myPlaybook.yml

The problems I don't seem to understand are:

  1. The vault password is stored in plaintext, which is a security issue

  2. How do I integrate the password file into a script (if that is needed)? If I encrypt the password file, it creates new issues which need to be resolved.

It's probably my ignorance, but to me all of it seems more like a hassle...

Thanks.

user17378

2 Answers

In Ansible-Engine the password will be exposed at any cost. There is no mechanism yet to handle this scenario in Ansible-Engine or the Ansible open-source version. Ansible Tower has a solution in place for this, which will encrypt and store the vault password on the master nodes.

If you are using any DevOps pipeline, create environment variables from Jenkins for the password file path or the actual value.

If you are on AWS or any cloud platform, use any encryption mechanism to encrypt the value.

SairamS

Just to add a note to this question:

I agree that the Ansible-vault password must be exposed at some point. A solution to this could be pass (the standard Unix password manager), where each password lives inside a GPG-encrypted file, which in turn can be shared internally among Linux admins, etc.

user17378
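Both answers above (an environment variable injected by Jenkins, or a `pass` entry decrypted with GPG) can be wired into Ansible through one documented mechanism that neither answer spells out: if the path given to `--vault-password-file` is executable, Ansible runs it and reads the vault password from its standard output, so no plaintext password file ever has to exist on disk. The script below is an added example written for this page, not code from the question or either answer. The script name `vault-pass.sh`, the variables `ANSIBLE_VAULT_PASSWORD` and `ANSIBLE_VAULT_PASS_ENTRY`, and the `pass` entry name `ansible/vault` are assumptions of this example.

```shell
#!/bin/sh
# vault-pass.sh: executable "vault password file" for Ansible.
# Ansible executes this script and takes the vault password from stdout.
# Added example for this thread, not part of the original question/answers.
set -eu

# Source order (assumption of this example):
#   1. ANSIBLE_VAULT_PASSWORD in the environment, e.g. bound to a masked
#      Jenkins credential, so CI never writes the password to a file.
#   2. A `pass` entry (default ansible/vault), which `pass` decrypts with
#      the caller's GPG key, so admins share the entry, not a plaintext file.
# Anything written to stdout becomes the password, so nothing else may be
# printed there; diagnostics go to stderr only.
vault_password() {
    if [ -n "${ANSIBLE_VAULT_PASSWORD:-}" ]; then
        printf '%s\n' "$ANSIBLE_VAULT_PASSWORD"
        return 0
    fi

    if command -v pass >/dev/null 2>&1; then
        # `pass show` prints the whole entry; by convention the first line
        # is the secret and any further lines are metadata, so keep line 1.
        # Capture first so a missing entry fails loudly instead of handing
        # Ansible an empty password.
        entry=$(pass show "${ANSIBLE_VAULT_PASS_ENTRY:-ansible/vault}") || return 1
        printf '%s\n' "$entry" | head -n 1
        return 0
    fi

    echo "vault-pass.sh: no vault password source available" >&2
    return 1
}

# Act as the password client only when run directly as vault-pass.sh;
# sourcing the file just defines the function (handy for testing it).
case "${0##*/}" in
    vault-pass.sh) vault_password ;;
esac
```

Make it executable (`chmod 700 vault-pass.sh`) and run `ansible-playbook --vault-password-file ./vault-pass.sh myPlaybook.yml`, or set `ANSIBLE_VAULT_PASSWORD_FILE=./vault-pass.sh` in the environment so every playbook run picks it up. In Jenkins, bind the secret to `ANSIBLE_VAULT_PASSWORD` with the credentials binding so the console output masks it; on an admin workstation leave that variable unset and the script falls through to `pass`, so the password is only ever decrypted in memory by a holder of the GPG key.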